New EU directives to raise common level of cybersecurity, bring about change in risk ownership

The European Union (EU) rolled out last month two fundamental directives aimed at strengthening the resilience of physical and digital infrastructure against cybersecurity threats, risks, and attacks across critical infrastructures, including power grids, the transport network, and information and communication systems. These are the NIS 2 Directive, which sets out measures for a high common level of cybersecurity across the EU, and the Critical Entities Resilience (CER) Directive, which widens the scope of protection across critical sectors and brings about more unified cybersecurity rules in the region.

NIS 2.0 has come into effect, and EU member states have 21 months to incorporate the new provisions into their national legislation. The new rules enhance the role of the Cooperation Group in shaping strategic policy decisions and increase information sharing and cooperation between member state authorities. The directive also builds operational cooperation within the Computer Security Incident Response Team (CSIRT) network and establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises.

Industrial Cyber sought out experts in the cybersecurity field to evaluate the effects of the NIS 2.0 initiative on the cybersecurity posture of asset owners and operators in the region. The rollout of the EU-wide legislation on cybersecurity aims to achieve a high common level of cybersecurity across the member states, in response to the growing threats posed by increased digitalization and the surge in cyber attacks.

Marianthi Theocharidou, cybersecurity expert at ENISA

The NIS2 Directive will increase the common level of cybersecurity in Europe and, to this end, expands its scope to new sectors, Marianthi Theocharidou, a cybersecurity expert at the European Union Agency for Cybersecurity (ENISA), told Industrial Cyber. “One way to achieve this is by setting out the baseline for cybersecurity risk management measures across the sectors that fall within its scope (Article 21).”

Theocharidou said that the directive prescribes an all-hazards, risk-based approach, and that the measures shall include at least the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies, and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

“Essentially, the NIS2 Directive is a continuation and a consolidation of the NIS1 approach in relation to incident reporting,” according to Theocharidou. “Asset owners and operators will need to notify incidents to the relevant authority and/or to their CSIRT within 24 hours as an early warning (article 23a) and within 72 hours for a full incident notification (article 23b). The directive also introduces an obligation for the competent authority or CSIRT to give initial feedback to the reporting entity without undue delay and where possible within 24 hours.”

The EU Agency for Cybersecurity (ENISA) provides guidance on the formats and procedures. In addition, information reported about these cyber threats and incidents should be shared with the competent authorities in line with the Critical Entities Resilience Directive (EU) 2022/2557 (Article 23(10)), Theocharidou added. “ENISA will assist Member States and the Commission to identify measures for supply chain security to be applied to the entities, and to replicate the risk assessment exercise on 5G for specific technologies.”

Trevor H. Rudolph, Vice President for global digital policy and regulation at Schneider Electric

NIS 2.0 will have significant implications for asset owners, operators, and their corresponding supply chains, Trevor H. Rudolph, Vice President for global digital policy and regulation at Schneider Electric, told Industrial Cyber. “The updated directive significantly widens the scope of regulated entities, from a few hundred to several thousand entities, when compared to NIS 1.0. In addition to increased scope, regulated entities will have new obligations to maintain robust cybersecurity protections and to report significant cybersecurity incidents to relevant authorities.”

That said, Trevor Rudolph added “to gain a full picture of NIS 2.0’s implications, global organizations must pay close attention to the transposition process within each member state. Schneider Electric strongly supports NIS 2.0 and the enhancement of cybersecurity protections across the European Union and encourages, wherever possible, member state alignment on requirements to avoid ending up with 27 divergent approaches to NIS 2.0.”

Fernando Guerrero Bautista, senior industrial cyber expert at Airbus Protect

Asset owners and operators will need to invest, not only in technology and processes but in their people, starting by making them aware of how the directive affects each of their roles and responsibilities, Fernando Guerrero Bautista, senior industrial cyber expert at Airbus Protect, told Industrial Cyber. “The cybersecurity posture will most likely grow in most of the affected organisations (medium and large-sized companies), and it will not only be relative to its reach but to its maturity level. Stricter requirements imply not only more dedicated, specialized, and constant efforts but also a higher risk of costly penalties (up to 10 million euros) when non-compliance is identified.”

Agustín Valencia Gil-Ortega, OT security business development for Spain and Portugal at Fortinet, told Industrial Cyber that “we could say that, for private entities, the greatest change will be the change in risk ownership. NIS 2 is clearly pointing to the boards, and this means a lot of changes, maybe equivalent to changes in companies when Sarbanes Oxley (SOX) Law was set, and a first step was made with DORA for bank entities.”

Agustín Valencia Gil-Ortega, head of OT/IoT/ICS security business development at Fortinet

“We are speaking of breaking technological silos, no more IT or OT, cybersecurity will become a real part of the digital transformation, from the business case analysis to the holistic risk management,” according to Valencia. “The role of the CISOs will be strengthened in the organizations, as they will have a more global view of the processes and initiatives implemented. They will assess new initiatives’ risks as technology evolves but also as threats evolve for the existing assets. They will play a key role in helping to identify pain areas and establish proper KPIs and KRIs depending on the different maturity levels and criticality of businesses. But again, as risk ownership will belong to the board and business executives, CISOs will play a key role but spending decisions will also mean risk appetite,” he added.

This said, “we will see a lot of improvements in cyber risk oversight and cyber risk quantification, maybe not in the short term, but not so far either,” Valencia added. “On the other hand, how governments will behave with public entities is a mystery. NIS was very useful to empower CISOs in public entities, giving reasons to give them a better position for proper visibility and more resources. However, we will have to wait to see how the concept of risk ownership for the board of a public company with a public budget is to be assumed; maybe this will also lead to a more important role for legal tech positions,” he added.

The executives also look into the challenges that companies are likely to face as they move into the implementation phase of the directive. Additionally, they assess the broader long-term implications of the EU-CyCLONe in supporting the coordinated management of large-scale cybersecurity incidents and crises.

“Composed of the representatives of Member States’ cyber crisis management authorities, the EU-CyCLONe was launched in 2020. Their role is to support the coordinated management of large-scale cybersecurity incidents and crises,” Theocharidou said. “ENISA provides the Secretariat, infrastructures, and tools to enable effective cooperation with the goal to ensure the secure exchange of information.”

She added that the EU CyCLONe will have multiple aims including increasing the level of preparedness for the management of large-scale cybersecurity incidents and crises, developing a shared situational awareness for large-scale cybersecurity incidents and crises, assessing the consequences and impact of relevant large-scale cybersecurity incidents and crises and proposing possible mitigation measures, coordinating the management of large-scale cybersecurity incidents and crises and supporting decision-making at a political level in relation to such incidents and crises, and discussing national cybersecurity incident and crisis response plans.

“Although the network has been working to its full capacity for the past 2 years, and is already engaged in the cooperation between appointed national agencies and authorities in charge of monitoring cyber crises, it is yet too early to foresee how the role of the network will evolve and how the new provisions of NIS2 will impact companies as all decisions to allow them to comply are yet to be made,” according to Theocharidou.

“For small and medium-sized enterprises (SMEs), the implementation challenge will lie in investing in the tools and processes required for the reporting of significant cyber incidents and for the enhanced cybersecurity obligations called for in NIS 2.0,” Trevor Rudolph said. “To minimize the hardship for SMEs, cybersecurity national agencies (like ANSSI for France) will soon issue guidelines and share expertise.”

Trevor Rudolph also said that for companies with a transnational presence, the challenge lies in the potential conflicting transpositions among member states. “Indeed, many large-scale companies have already put in place requirements such as secure development lifecycle and other processes to protect their operations; the level of investment and adaptation required to meet different transpositions will be challenging. Schneider Electric, therefore, calls on the NIS 2.0 Cooperation Group to harmonize as much as possible the NIS 2.0 domestic transpositions and to have a keen eye for the avoidance of unnecessary trade barriers,” he added.

On EU-CyCLONe, Rudolph said that “we believe the initiative will play an important role in the success of NIS 2.0 implementation. We are optimistic that EU-CyCLONe will become the missing cross-border link to better manage transnational cyber crises.”

Bautista said that companies will face many challenges while implementing the directive. Efforts to work on a comprehensive and holistic approach will be high, as the complete cybersecurity lifecycle is expected to be compliant with NIS2. “Companies will have to work on preparation activities (implement an organisational structure to create a strategy, implement, operationalize, maintain, and improve it). They will also need to have a comprehensive understanding of the infrastructure and requirements to comply with. Finally, they will need to perform self-assessments, understand their risks, and design mitigation measures,” he added.

“EU-CyCLONe enables collaboration at different levels (member-to-member, industry-to-industry, punctual member support), which is the most challenging part of it, but also the one which requires long-term commitments from all parties to make it work,” according to Bautista. “It covers information sharing, crisis management and decision support, and calls for standardized taxonomies and in-depth understanding of specific scenarios and infrastructure (specifically for industrial cybersecurity) in order to provide top-notch results.”

Valencia said that many aspects are involved but perhaps could be summarized in two: cyber risk deep adoption and business assets integration. “Understanding cyber risk deep adoption means that cybersecurity is at the same level as other key risks to be handled by the board, therefore, we are not only speaking of compliances (whose importance increases too) but also a deep understanding of impacts on the process, direct or crossed with other sectors interdependences and considering supply chain impacts,” he added.

“When speaking of business assets integration, we are speaking of extending governance from the CISO level to the business level and extending technological cybersecurity capabilities to all levels of business, to be managed by businesses although they get support from cybersecurity and IT departments,” according to Valencia. “Both challenges, at the board level and at the business level, mean a complete change in the mindset comparable to real digital transformation plans. But with a difference: although there is no digital transformation initiative, NIS 2 will force companies to adopt such a change to face the risks that many have been suffering for the last few years.”

On the other hand, Valencia pointed out that as NIS 2 pursues a greater degree of harmonization, companies with a presence in different EU countries should find some tasks simplified, with less effort spent on administrative adaptation and more available to mature controls homogeneously.

Valencia said that the EU-CyCLONe has many implications. NIS 2.0 seeks better harmonization than NIS 1 achieved, and EU-CyCLONe will improve efficiency enormously if the desired level of harmonization among the member states is finally achieved. “It should also mean better adoption of local CSIRTs, thus better integration among national policies and Interpol and maybe with other entities such as NATO or the World Economic Forum; it would also be a good impulse for better threat intelligence exchange with the key players in cybersecurity,” he added.

Under the NIS 2.0 directive, the EU will also join the U.S. and other countries in mandating stricter incident reporting requirements. The legislation will mandate that organizations across the board report cyber breaches and attacks within 24 hours of becoming aware of the incident. Companies that fail to do so can face steep fines. The executives look into how feasible it is for industrial asset owners and operators across critical infrastructure sectors to report cyber breaches and attacks within 24 hours of becoming aware of the incident.

Theocharidou said that the mechanisms and practical procedures still remain to be established. “National authorities will consult each other, and ENISA, together with its stakeholders, will provide support and guidance,” she added.

“The 24-hour ‘early warning’ report will be challenging for corporations of all sizes. Understanding what constitutes anomalous behavior that should or should not be reported to authorities will take time,” Trevor Rudolph said. “My assumption is that most corporations may overreport resulting in more ‘noise’ than is actually helpful to national authorities. However, through collaboration between national authorities and the private sector, we may get this early reporting to a point that is consistent with the goal of NIS 2.0, which is inoculating the entire system from malicious actors as rapidly as possible,” he added.

This is a key question as the skills shortage within IT and cybersecurity is still massive, Valencia said. “NIS2 should be the final impulse to adopt initiatives such as segmentation, visibility, inventory, monitoring, and detection to the deepest extents. This will also force organizations to embrace the problem of resources, both from an investment and workforce perspective, to make decisions for short-term and long-term towards incorporating and training workers.”

“Between an increasingly complex threat landscape that has exponentially increased the number of security alerts, the growing cybersecurity skills gap, and the complicated compliance and reporting regulations security teams must abide by, organizations are struggling to ensure rapid and effective incident response,” according to Valencia. 

Fortunately, the integration and automation of security information and event management (SIEM) or endpoint detection and response (EDR), both adapted for OT environments, can go a long way to prioritizing alerts and simplifying incident response, Valencia said. “Further, security leaders must leverage the capabilities of automation and other AI-driven innovations to alleviate overburdened security teams: SOAR, reconnaissance, attack framework, threat intelligence, and security operations.”

Bautista said that it really depends on how mature the incident response process is for such companies. “Experience shows that there are many factors which affect incident handling for industrial environments, namely the number of stakeholders, number of unknown assets within a network, number of unknown vulnerabilities, lack of well-established procedures and an organisational structure with clear responsibilities defined,” he added.

“It is not unusual to have technical malfunction events in industrial environments; as such, the response capabilities to cyber-related incidents are impacted,” according to Bautista. “Additionally, in most cases, the support of the vendor and other third parties is required to solve issues of different natures on industrial assets. This will make a 24-hour report very challenging, but not impossible with the right framework in place.”

The experts explore the shortcomings that they expect these agencies to face as they work towards meeting the NIS 2.0 directive. Additionally, they look into how the ongoing geopolitical turmoil affects the implementation of the directive.

Theocharidou said unfortunately, “we are still too early in the process to anticipate circumstantial developments possibly impacting the implementation and to thus provide an answer to these questions. Today’s geopolitical context is inevitably changing in the cyber threat landscape and appropriate mitigation strategies are necessary, particularly to protect our critical sectors.”

“Today’s geopolitical dynamics are certainly challenging, but I am hopeful that there is room for cross-regional and global cooperation in cybersecurity,” according to Rudolph. “I was encouraged, for example, by the recent joint statement from the U.S.-EU Trade and Technology Council (TTC) where the two governments stated their desire for collaboration in the area of cybersecurity standards, and that the US-EU Cyber Dialogue would be a central place to facilitate such collaboration.”

Trevor Rudolph also added that he is “convinced that the implementation of NIS 2.0 and the recently published Cyber Resilience Act will have an impact well beyond Europe, which will make transatlantic and global cooperation in cyber space more important than ever before.”

“In such a complex environment as European cyber space, new challenges arise every day. This is also true for the implementation of NIS2,” Bautista said. “Agencies might be affected by the lack of manpower to control, audit, and respond. Companies responsible to fulfil requirements face the same issue. There is even more pressure if you consider the timeline for implementation of requirements. Two years might be enough for some small and medium-sized companies, but when the context is more complex as with large enterprises and some medium-sized critical infrastructure companies, time is an important constraint. A well-performed prioritization to implement protective/corrective measures should be the first item to be tackled.”

“The number of cyberattacks has risen quite dramatically since the war in Ukraine started, affecting primarily Ukraine itself but the rest of Europe as well,” according to Bautista. “In this context, NIS2 provides the right tools to speed up the implementation of lessons learned from those attacks. Prevention, operational readiness and collaboration in cyber defence are key, not only to be prepared for future threats but to overcome the current ones. The risk exposure has also increased, therefore, the countermeasures to protect especially the most critical assets might need to be enhanced.”

One major issue is the skills shortage, Valencia highlighted. “It is very common to have teams with people-for-all, maybe in IT with sysadmin and cybersecurity tasks, but similarly in OT with the process and, if there is enough time, some cybersecurity tasks, mostly patching and SCADA antivirus signature updates. It is very probable that the level of specialization for SOCs will make companies adopt MSSP schemes, which will also help to better determine the needs for each specialization,” he added.

“For the OT part, it might be more difficult, and that is why OT cybersecurity professionals are so valued because they need to understand both cybersecurity technologies and process automation technologies to be able to propose meaningful deployments of security solutions that take into account processes criticality for ideal approach,” Valencia said. 

On the geopolitical turmoil, Valencia said there is nothing like a real threat to make potential targets improve their defenses. “Unfortunately, but thanks to this situation, most of the European countries will be increasing rates of information sharing, but also increasing the number of agencies to collaborate in each country with their homologues in the rest, as long as the Russian threat remains credible.”

Specific cyber exercises such as NATO’s Locked Shields (cyber-attacking and cyber-defending energy infrastructures) may be performed more frequently and even involve personnel from critical infrastructures, even if not military, and who knows whether they will be extended to other critical sectors, Valencia concluded.
